Will the GDPR prevent the next headline-grabbing data breach?

Gavin Millard says that while having a regulation such as the EU GDPR in place would have reduced the chance of a breach the size of Yahoo!, practicing good cyber-hygiene and timely disclosure have the best effects when dealing with any major breach that compromises personal data.

In a world where new malware and vulnerabilities are discovered every day, one of the more concerning aspects of recent high-profile data breaches is the long period of time between detection of the compromise and disclosure of the breach.

The revelation that the Yahoo! breach was discovered nearly two years before it was disclosed has highlighted the ambiguity of the US Securities and Exchange Commission (SEC) 2011 requirements that detail cyber-attack disclosures. As a result, pressure is being placed on the agency to investigate not only whether senior executives at Yahoo! acted appropriately when disclosing the attack, but also whether the current disclosure process is adequate.

With the European Union (EU) General Data Protection Regulation (GDPR) introduction just 18 short months away, there is even less room for uncertainty.

Will legislation finally be enough to call time on an era of massive data breaches?

The longer an organisation waits to disclose a breach, the more likely it is that the exposed users will be leveraged for further exploitation. It stands to reason, then, that if we are going to lessen the impact and risk of a breach, stronger security measures and faster disclosure times must be enforced.

In May 2018, the EU GDPR will impose strict data breach disclosure regulations, requiring organisations to notify authorities of any data loss incident ‘without undue delay and, where feasible, not later than 72 hours.’ That might seem like an impossible standard, but as attackers become more sophisticated, this level of accountability can lessen the impact on potential victims.

What perhaps is more concerning is that the latest developments in the Yahoo! breach suggest the company lacked sufficient investment in basic security measures.